Commentary: Charting a course through data privacy

What every business should know

Jon Farnsworth and Jack Amaral, Special to Minnesota Lawyer, June 4, 2024

Businesses across various sectors are now navigating a complex landscape of data privacy regulations, as the importance of safeguarding personal information continues to gain traction with state legislatures. With an increasing emphasis on privacy rights, several states in the U.S. have introduced or updated data protection laws, signaling a significant shift in how businesses handle consumer data. Already in April this year, three new states have joined the ranks of those with consumer data privacy legislation.

At the time this article was authored, 17 states have enacted data privacy laws, including California, Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Tennessee, Texas, Utah, and Virginia. Additionally, numerous states are in the process of drafting their own legislation. While specific requirements vary from state to state, and there is no certainty that a uniform federal standard will emerge anytime in the near future, there is notable overlap in what businesses must do to comply with these state regulations. Therefore, it is prudent for businesses to proactively prepare for potential expansion into these markets.

Here’s a concise breakdown of what businesses need to consider regarding data privacy:

  1. Comprehensive privacy policies: Every business must have a detailed privacy policy outlining the types of data collected and its intended use. This is now a fundamental requirement for businesses collecting customer information.
  2. Data processing agreements: Businesses acting as data controllers and collaborating with third parties must establish agreements to ensure these parties adhere to the designated data management protocols.
  3. Implementation of data security measures: It’s imperative for businesses to establish robust frameworks to secure the data they collect, ensuring protection against unauthorized access or breaches.
  4. Data protection assessments: Many states mandate businesses to conduct comprehensive assessments related to the personal data they collect. These assessments typically include evaluating project purposes, data processing needs, privacy risks, and mitigation strategies.
  5. Opt-in consent for sensitive data: In most states, businesses must obtain explicit consent from customers before collecting sensitive data, which varies in definition across states but generally includes information related to race, health, sexual orientation, etc.
  6. Data minimization: Nearly all states require businesses to limit the collection and retention of personal data to what’s necessary for specific purposes. This ensures that only relevant information is processed and retained for the required duration.
  7. Duty to avoid secondary use: Data controllers are prohibited from processing personal data for purposes unrelated to the specified objectives without obtaining the consumer’s consent.

As of May 19, 2024, Minnesota has officially passed the Minnesota Consumer Data Privacy Act, marking a significant step toward enhancing consumer data protection in the state. This new law introduces several key provisions aimed at giving Minnesota residents more control over their personal information and aligns with broader data transparency trends seen across the country.

Key provisions of the Minnesota Consumer Data Protection Act:

  1. Right to know and access: Consumers can access their personal data processed by businesses.
  2. Right to correct: Consumers can correct any inaccuracies in their personal data.
  3. Right to delete: Consumers have the right to delete their personal data.
  4. Right to obtain a copy: Consumers can obtain a copy of their personal data.
  5. Right to opt out: Consumers can opt out of:
     • Targeted advertising.
     • Sale of personal data.
     • Profiling with significant consequences.
  6. Right to list of third parties: Consumers can obtain a list of third parties to whom their data has been disclosed.

These rights are designed to empower consumers with more control over their personal information and ensure greater data transparency.

Universal opt-out mechanism: The law mandates the establishment of a universal opt-out mechanism, similar to California’s privacy laws, to simplify the opt-out process for consumers. This will allow consumers to communicate their privacy preferences across platforms efficiently.

Protection for sensitive data: Businesses must obtain explicit consent to process sensitive data, which can be revoked at any time. This offers further protection, particularly for vulnerable groups such as children aged 13-16, who are protected from targeted advertising and data sales without consent.

Compliance requirements for businesses: Businesses must conduct comprehensive “data privacy and protection assessments” to demonstrate compliance with the law. These assessments will detail the policies and procedures put in place to protect consumer data. The Minnesota Attorney General, responsible for enforcing the law, can request these assessments during investigations. Noncompliance could result in civil lawsuits with penalties up to $7,500 per violation.

Additional business obligations:

  • Businesses are required to implement reasonable security measures to protect personal data.
  • They must provide clear and conspicuous privacy notices to consumers detailing how their data will be used.
  • The act also mandates that businesses conduct regular data protection training for employees handling consumer data.

Effective date: The Minnesota Consumer Data Privacy Act is set to take effect on July 31, 2025, except that postsecondary institutions will have an additional four years to comply with the law.

Impact and future considerations: This legislation marks a critical advancement in protecting consumer data in Minnesota, setting a precedent for other states considering similar laws. It is essential for both consumers and businesses to stay informed about these changes and prepare for the new compliance requirements to ensure a smooth transition when the law takes effect.

In light of these evolving regulations, executives and business owners should take proactive steps:

  • Review current privacy policies: Ensure alignment between existing privacy policies and actual data handling practices.
  • Legal compliance check: Engage legal experts experienced in data privacy law to review privacy policies and ensure compliance with state regulations.
  • Assign responsibility: Designate a responsible individual within the company to oversee data privacy compliance and response to consumer requests.
  • Test response procedures: Conduct tests to evaluate the company’s ability to respond effectively to consumer requests, ensuring readiness to address privacy concerns.

While many people have waited to see if the U.S. federal government will take action on consumer data privacy that would put an end to the patchwork of individual state laws, no such action is expected to occur, at least in the foreseeable future. In the meantime, prior to any federal standard, business owners are well advised to stay informed and take proactive measures to comply with data privacy laws. Failure to maintain compliance will increase a business's risk of being sued and/or facing scrutiny from government regulators.

This article was drafted by Jon Farnsworth and Jack Amaral, technology and privacy attorneys in the Minneapolis office of Spencer Fane LLP. For more information, please visit spencerfane.com.
